resource quota review: fix OOM risks, close quota gaps, add HA protections

Phase 1 - OOM fixes: - dashy: increase memory limit 512Mi→1Gi (was at 99% utilization) - caretta DaemonSet: set explicit resources 300Mi/512Mi (was at 85-98%) - mysql-operator: add Helm resource values 256Mi/512Mi, create namespace with tier label (was at 92% of LimitRange default) - prowlarr, flaresolverr, annas-archive-stacks: add explicit resources (outgrowing 256Mi LimitRange defaults) - real-estate-crawler celery: add resources 512Mi/3Gi (608Mi actual, no explicit resources) Phase 2 - Close quota gaps: - nvidia, real-estate-crawler, trading-bot: remove custom-quota=true labels so Kyverno generates tier-appropriate quotas - descheduler: add tier=1-cluster label for proper classification Phase 3 - Reduce excessive quotas: - monitoring: limits.memory 240Gi→64Gi, limits.cpu 120→64 - woodpecker: limits.memory 128Gi→32Gi, limits.cpu 64→16 - GPU tier default: limits.memory 96Gi→32Gi, limits.cpu 48→16 Phase 4 - Kubelet protection: - Add cpu: 200m to systemReserved and kubeReserved in kubelet template Phase 5 - HA improvements: - cloudflared: add topology spread (ScheduleAnyway) + PDB (maxUnavailable:1) - grafana: add topology spread + PDB via Helm values - crowdsec LAPI: add topology spread + PDB via Helm values - authentik server: add topology spread via Helm values - authentik worker: add topology spread + PDB via Helm values
2026-03-08 18:17:46 +00:00 · 2026-03-08 18:17:46 +00:00 · d352d6e7f8
commit d352d6e7f8
parent ead33b23dd
19 changed files with 154 additions and 18 deletions
--- a/stacks/platform/modules/monitoring/caretta.tf
+++ b/stacks/platform/modules/monitoring/caretta.tf
@ -14,6 +14,16 @@ resource "helm_release" "caretta" {
    victoria-metrics-single = {
      enabled = false
    }
+    resources = {
+      requests = {
+        cpu    = "10m"
+        memory = "300Mi"
+      }
+      limits = {
+        cpu    = "200m"
+        memory = "512Mi"
+      }
+    }
  })]
 }

--- a/stacks/platform/modules/monitoring/grafana_chart_values.yaml
+++ b/stacks/platform/modules/monitoring/grafana_chart_values.yaml
@ -9,6 +9,15 @@ resources:
  limits:
    cpu: 500m
    memory: 512Mi
+topologySpreadConstraints:
+  - maxSkew: 1
+    topologyKey: kubernetes.io/hostname
+    whenUnsatisfiable: ScheduleAnyway
+    labelSelector:
+      matchLabels:
+        app.kubernetes.io/name: grafana
+podDisruptionBudget:
+  maxUnavailable: 1
 persistence:
  enabled: false # using external mysql
  existingClaim: "grafana-pvc"
--- a/stacks/platform/modules/monitoring/main.tf
+++ b/stacks/platform/modules/monitoring/main.tf
@ -211,8 +211,8 @@ resource "kubernetes_resource_quota" "monitoring" {
    hard = {
      "requests.cpu"    = "16"
      "requests.memory" = "16Gi"
-      "limits.cpu"      = "120"
-      "limits.memory"   = "240Gi"
+      "limits.cpu"      = "64"
+      "limits.memory"   = "64Gi"
      pods              = "100"
    }
  }